Over the past 3 days, various QuestionPoint e-mail clients have been under a spam attack by a “bot” whose e-mail message includes an automated script that hijacks the user’s browser when the question is viewed in the Ask module. The effect of this script is to incapacitate the user by forcing their web browser to load the site targeted by the script. This makes it impossible either to delete the session or to skip it in order to view other incoming questions, transcripts, or sessions. The libraries that are affected are not related to each other in any way, and the message sent is one of the typical advertising spam schemes, in no way related to the business of the affected libraries. This problem has cropped up in the past, but very rarely, and was previously confined to single libraries, with the hijack script actually sent by a real person (usually unwittingly). The current attack is far more insidious, being automated and consisting of multiple messages over a short period of time. We have concluded that, left untreated, this vulnerability might spread to other clients' accounts as the “bot” gets smarter. We are therefore implementing the following change to QuestionPoint, effective Tuesday Jan 15 at 6AM EST (11:00 GMT):
Incoming email messages will be parsed by the server, and any instance of the “<” character will be translated to “&lt;” in order to incapacitate any automated scripting.
When viewed from within your QuestionPoint account, the "<" will display correctly, but if the transcript is emailed out to another person or sent in a reply, the "<" character will be replaced by "&lt;", to avoid further unwitting propagation of the potentially nefarious script.
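To make the change concrete, here is a small Python model of the rule and of the two display paths described above. It is added here as an illustration, not QuestionPoint's own code; the spam body, the function names and the broader `html.escape` variant are assumptions.

```python
import html
import re

# Constructed sample inbound message (not taken from the notice): an
# advertising spam body carrying an inline script that redirects the browser.
SAMPLE_SPAM = (
    "Cheap watches at great prices!\n"
    '<script>window.location="http://spam.example/"</script>\n'
    "Prices < 50 USD, offer ends soon."
)


def escape_inbound(body: str) -> str:
    """The notice's rule: every '<' becomes '&lt;' before the message is
    stored, so the browser can never form a tag from the stored text."""
    return body.replace("<", "&lt;")


def escape_inbound_full(body: str) -> str:
    """Broader variant (an assumption, not the notice's rule): escape the
    whole HTML-special set so attribute and quote contexts are covered too."""
    return html.escape(body, quote=True)


def contains_markup(body: str) -> bool:
    """Detection helper: flag an inbound message that carries an HTML tag,
    so operators can log or alert on script-bearing spam before storage."""
    return re.search(r"<\s*/?[a-zA-Z]", body) is not None


def displayed_in_ask_module(stored: str) -> str:
    """Text the librarian sees when the stored message is rendered in the
    browser: '&lt;' is shown as a literal '<' but is never parsed as a tag."""
    return html.unescape(stored)


def sent_as_outbound_email(stored: str) -> str:
    """Transcript e-mailed out as plain text: the stored '&lt;' goes out as-is,
    so the script is not re-activated in the recipient's mail client."""
    return stored


if __name__ == "__main__":
    stored = escape_inbound(SAMPLE_SPAM)
    print("stored:", stored)
    print("displayed:", displayed_in_ask_module(stored))
```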
The install on Tuesday January 15th will result in the QuestionPoint service being unavailable for approximately 15 minutes between 6:00 AM and 6:15 AM EST (11:00 GMT to 11:15 GMT). As always, please check your question lists after the server bounce to see if any sessions were truncated or missed.
Please note that this fix will not stop incoming spam e-mail messages. It will, however, keep those messages from doing harm to the system overall.
We are continuing to develop other spam-fighting techniques with an eye to deployment over the next two months. Stay tuned!